Demand for cyber insurance has skyrocketed lately, and companies seem to be taking advantage of it quickly. A new report by cybersecurity firm Delinea finds that nearly 80% of organizations that have coverage have used it, and 50% have used it more than once. Yet only 30% have policies covering critical risks associated with ransomware attacks. As a result, demands from insurers to implement security controls are already increasing: more than half say they are required to conduct cybersecurity awareness training, and just under half are being asked to implement measures such as MFA and regular data backups.
Insurers are increasing costs, requirements in the booming cyber insurance market
The Covid-19 pandemic has unleashed an unprecedented wave of cybercrime, particularly ransomware, which in turn has fueled demand for cyber insurance. Insurers have already scaled back coverage and increased premiums in response, but based on continued usage patterns, it’s likely the market adjustment is ongoing.
Businesses have struggled to get adequate cyber coverage over the past year, with other recent studies showing that the majority do not carry enough to offset the cost of a ransomware attack. Delinea’s findings support this trend, with just under one in three respondents saying they are insured against critical risks such as ransomware, ransomware negotiations, and ransom payment decisions. Just under half say they are covered for data recovery costs.
This is despite the fact that 93% of respondents said their cyber insurance applications were approved on the first try, and the same number also said their companies allocated adequate budget for policy purchases. Overall, 70% say they applied for cyber insurance, and 65% of them say the approval process took less than three months.
40% of respondents requested new coverage based on the overall risk mitigation policy, and 25% said news about recent ransomware incidents was a key reason for this decision. 33% indicated that the request for more or better reporting came directly from senior management or a board of directors.
The first expected reaction to the widespread use of coverage would be an increase in premium amounts, and 75% of respondents say this has happened to them. And 65% of those respondents said the premium has increased by at least 50% and in some cases by as much as 100%. But insurers are not stopping at rising costs; they’re also demanding new and tighter security controls to reduce the likelihood of a data breach leading to a claim. 51% of respondents say cybersecurity awareness training is now mandatory to maintain coverage, and 47% say they must implement antivirus and anti-malware solutions, MFA, and regular data backups. When insurers establish Privileged Access Management requirements, 43% of respondents say they already have the appropriate elements in place, and 42% say they need to purchase new solutions to meet the criteria.
Improving security controls is increasingly becoming a requirement to maintain cyber coverage
At first glance, 80% of policyholders making claims in such a short time does not appear to be a sustainable business model. For comparison, some estimates put the number of auto policyholders making claims each year at around 6%. Insurers have limited room to keep raising costs and narrowing the circumstances they cover, making mandatory security controls the natural next area for insurers to expand into.
At the moment, insurers usually just provide policyholders with checklists of minimum security controls. However, this does not necessarily mean that the controls are monitored or used properly. A likely next development, possibly very soon for the highest-risk sectors, is an industry-standard requirement to actually demonstrate the effectiveness of the defensive posture in a simulated attack.
Another trend that has already been documented is that insurers are simply fleeing ransomware coverage, telling policyholders that they are on their own in this particular area. Ransomware is, on average, the most damaging segment of cybercrime, with the global average ransom demand now reaching a quarter of a million dollars (rising to over $1 million in some countries like the US). The cleanup costs are also at least a few times higher than the demand.
At a minimum, those looking for new or improved cyber insurance coverage should recognize that planning to rely on the policy (or government help) to get out of trouble is no longer acceptable in the current environment. A change in insurance policies is an ideal opportunity to review security controls, mitigation strategies and data backup systems.
Avishai Avivi, CISO at SafeBreach, advises companies that have relied solely on insurance for their data breach management plan to immediately review their approach: “Cyber insurance helps cybersecurity professionals manage risk by transferring the costs of a data breach. However, if 80% of companies with cyber insurance are actually using it, insurance providers will soon have to adjust their calculations.”
“To that end, more and more cyber insurance companies are requiring their customers to implement specific security controls before offering insurance coverage. The challenge is that this does not necessarily guarantee that their customers are using these controls properly,” added Avivi. “As this trend continues, we anticipate that cyber insurance companies will require or incentivize companies seeking coverage to implement security validation and attacker simulation as part of their ongoing security program. This is especially true for customers in regulated industries or with very high-risk digital assets such as personal records.”